`${CLAUDE_PLUGIN_ROOT}` does not expand in skill frontmatter `allowed-tools`, so check (and siblings) grant `Bash(python3 *)`, which pre-approves any python3 invocation, not just `check-mechanical.py`. Check also grants `Bash(git *)` while its body forbids hand-rolled `git diff` (git is script-internal).
The check body documents the workaround inline, but the broad grant is a real permission-surface cost for consumer repos. Options: a thin `scripts/sdd-check` wrapper with a stable name that allowed-tools can pin; or narrow the pattern to `Bash(python3 */check-mechanical.py *)` if glob position allows; drop `Bash(git *)` from check if it is truly unused outside the script. Upstream ask: env-var expansion in allowed-tools.
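The three grant shapes discussed above, side by side, as an added illustration (not the plugin's own SKILL.md): the skill path `skills/check/SKILL.md`, the `name` value and the comma-separated `allowed-tools` string syntax are assumptions; the patterns themselves are the ones named in the note.

```yaml
# skills/check/SKILL.md frontmatter (path assumed). Current shape: because
# ${CLAUDE_PLUGIN_ROOT} is not expanded here, the grant falls back to a
# bare interpreter glob, so ANY python3 command and ANY git command are
# pre-approved, not only the script the skill body actually runs.
---
name: check
allowed-tools: Bash(python3 *), Bash(git *)
---

# Option A: narrow the glob to the script name. Only valid if the permission
# matcher accepts a wildcard before the script path (the note flags this as
# unverified); Bash(git *) dropped because git is invoked inside the script.
---
name: check
allowed-tools: Bash(python3 */check-mechanical.py *)
---

# Option B: pin a stable wrapper name that needs no env-var expansion.
# scripts/sdd-check (assumed path) would exec python3 on check-mechanical.py
# relative to its own location, so the grant covers exactly one entry point.
---
name: check
allowed-tools: Bash(scripts/sdd-check *)
---
```

In both narrowed forms the pre-approved surface shrinks from "any python3 / any git" to the single checker entry point the skill body describes, which is the permission-surface reduction the note asks for.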